Form authentication and authorization in ASP.NET

This article will explain how to secure websites using the ASP.NET Forms Authentication.

Introduction

As secure information is the key to efficient web programming, web application programmers always have security concerns. This article will explain how to secure your website using ASP.NET Form Authentication.

This article assume that the reader is already familiar with ASP.NET programming.

Keywords

web.config: Application configuration files contain settings specific to an application. This file contains the configuration settings that the common language runtime reads (such as the assembly binding policy, remoting objects, and so on), and settings that the application can read [MSDN].

Authorization: The purpose of authorization is to determine whether an identity should be granted the requested type of access to a given resource [MSDN].

Authentication: Authentication is the process of discovering and verifying the identity of a principal, by examining the user's credentials and validating those credentials against some authority. The information obtained during authentication is directly usable by your code. That is, once the identity of the principal is discovered, you can use the .NET Framework role-based security to determine whether to allow that principal to access your code [MSDN].

Background

I’ve searched so many sites for a code that I can with the help of it, secure websites from unauthorized access. After searching C# books, I found some nice code that helped me to create this simple application. Hope it can help as a basic architecture.

There are three kinds of authentication in ASP.NET:

Form,

Windows, and

Passport.

This article will focus on the first type.

Form authentication is cookie based, as ASP.NET places a cookie in the client machine in order to track the user. If the user requests a secure page and has not logged in, then ASP.NET redirects him/her to the login page. Once the user is authenticated, he/she will be allowed to access the requested page.

Using the code

In the web.config, change the mode of authentication to Forms, then add loginUrl="your default page".

In this section, you will set the default page of the system. The default page is the page that the system will redirect the user to, whenever a fault happens while the user tries to access a secured page.

<!-- AUTHENTICATION
This section sets the authentication policies
of the application. Possible modes are "Windows",
"Forms", "Passport" and "None"
"None" No authentication is performed.
"Windows" IIS performs authentication (Basic,
Digest, or Integrated Windows) according to
its settings for the application.
Anonymous access must be disabled in IIS.
"Forms" You provide a custom form (Web page)
for users to enter their credentials, and then
you authenticate them in your application.
A user credential token is stored in a cookie.
"Passport" Authentication is performed via
a centralized authentication service provided
by Microsoft that offers a single logon
and core profile services for member sites.
--><authenticationmode="Forms"><formsloginUrl="Login.aspx"></forms></authentication>

This section of the web.config determines the users who will be authorized to or denied from the website. The default value <deny users="?" /> means to deny any anonymous (unauthenticated) user trying to access the website. However, this value can be changed. E.g., <deny users="john”, “smith”, “Ahmed” /> means to deny the users: john, smith and Ahmed from accessing this website - it is a black list- or you can say <deny users="*" /> <allow users="john”, “smith”, “Ahmed” /> which means, deny all users except john, smith, and Ahmed.

Roles

In some business websites, multiple employees would need access to a system in order to do specific tasks. However, each employee would have a specific role, and specific operations to do, according to the nature of his/her job or security level. E.g., an HR manager might not allowed to view the data of the seals department.

ASP.NET provides the concept of roles that gives each role a different view on specific pages.

location here means the folder name which holds the .aspx for some specific role. As the example shows, <location path="HRpages"> means that all .aspx files under the HRpages folder are protected. <allow roles="HR" /><deny users="*" /> mean deny every one from accessing pages under HRpages except those having the HR role.

Login.aspx.cs

This section will show the code that reads the password and the user name from login.aspx and redirects the user to a specific page according to his/her role.

The object ticket1 is of type FormsAuthenticationTicket and provides a means of creating and reading the values of a forms authentication cookie. The previous code will redirect the user HR_manager after checking his/her password. If the password is correct then it will create a cookie to track the user and encrypt the content of this cookie.

One of the FormsAuthenticationTicket constructors takes the following parameters:

version - the version number.

name - the user name associated with the ticket.

issueDate - the time at which the cookie was issued.

expiration - the expiration date for the cookie.

isPersistent - true if the cookie is persistent; otherwise, false.

userData - user-defined data to be stored in the cookie [MSDN].

Related tutorials

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

Share

About the Author

Ahmed J. Kattan Bachelor degree from Jordan University of Science and Technology computer science department, Master Degree from University of Essex and PhD student at University of Essex ”United Kingdom”, I have written several applications, designed multiple algorithms and several publications. My favorite languages are C++ and C#.